Closed Bug 1142323 Opened 11 years ago Closed 7 years ago

Add SwissSign SHA2 root certificate(s)

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: cornelia.enke, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: [ca-denied] Comment #47 - submit new roots in new bug)

Attachments

(9 files, 4 obsolete files)

1142323-Initial-CAInformation.pdf
251.98 KB, application/x-unknown
Details
1142323-CAInformation.pdf
274.64 KB, application/pdf
Details
Questionaire_Mozilla_20160922.pdf
1.26 MB, application/pdf
Details
SwissSign_SHA2_20170305.pdf
221.51 KB, application/pdf
Details
1142323-CAInformation-Complete.pdf
221.33 KB, application/pdf
Details
SwissSignAG_CA_BR_Self_Assessment_Q2_2017.pdf
139.78 KB, application/pdf
Details
10-05-2017-SwissSign-Confirmation-2017.pdf
82.92 KB, patch
Details | Diff | Splinter Review
10-05-2017-SwissSign-Confirmation-2017.pdf
82.92 KB, application/pdf
Details
1142323-CA-Information-March6-2018.pdf
285.30 KB, application/pdf
Details
CA Details ---------- CA Name: Swiss Sign Website: https://swisssign.com One Paragraph Summary of CA, including the following: - General nature (e.g., commercial, government, academic/research, nonprofit) - Primary geographical area(s) served Audit Type (WebTrust, ETSI etc.): ETSI TS 102042 and ETSI TS 101456 and ZertES (Swiss Signature Law) Auditor: KPMG Auditor Website: http://www.kpmg.com/ch/de/seiten/default.aspx Audit Document URL(s): please refer attachment Certificate Details: Platinum Subject name: / CN= SwissSign Platinum Root CA - G3/ O=SwissSign AG / C=CH Friendly name: SwissSign Platinum Root CA – G3 Validity date: ‎ ‎4. ‎August ‎2009 14:34:04 until ‎4. ‎August ‎2037 14:34:04 Thumbprint: ‎a1 e7 c6 00 aa 41 70 e5 b7 4b c9 4f 9b 97 03 ed c2 61 b4 b9 Desired extended key usage: Secure Email, Server Authentication, Client Authentication, Code Signing, Time Stamping CP: http://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf EUA: http://repository.swisssign.com/SwissSign-Platinum-EUA-R4.pdf Subordinate CAs - see CP/CPS Chapter 1.1 CRL issuing frequency for subordinate end-entity certificates: 6h CRL issuing frequency for subordinate CA certificates: on event at least 6 month Certificate download URL (on CA website): https://swisssign.net/cgi-bin/authority/download Public key length (for RSA, modulus length) in bits: 4096 Bit Class: DV/identity/organizationally-validated Gold Subject name: / CN= SwissSign Gold Root CA - G3/ O=SwissSign AG / C=CH Friendly name: SwissSign Gold Root CA – G3 Validity date: ‎4. ‎August ‎2009 14:31:47 until ‎ ‎4. ‎August ‎2009 14:31:47 Thumbprint: 0b 71 99 a1 c7 f3 ad df 7b a7 ea b8 eb 57 4a e8 0d 60 dd de Desired extended key usage: Secure Email, Server Authentication, Client Authentication, Code Signing CP: http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf EUA: https://www.swisssign.com/documents/SwissSign-Gold-EUA-R4.pdf Subordinate CAs - see CP/CPS Chapter 1.1 CRL issuing frequency for subordinate end-entity certificates: 6h CRL issuing frequency for subordinate CA certificates: on event at least 6 month Certificate download URL (on CA website): https://swisssign.net/cgi-bin/authority/download Public key length (for RSA, modulus length) in bits: 4096 Bit Class: Class: DV/identity/EV Silver Subject name: / CN=SwissSign Silver Root CA – G3 / O=SwissSign AG / C=CH Friendly name: SwissSign Silver Root CA – G3 Validity date: 4. ‎August ‎2009 14:19:14 until 4. ‎August ‎2037 14:19:14 Thumbprint: ‎8d 08 fc 43 c0 77 0c a8 4f 4d cc b2 d4 1a 5d 95 6d 78 6d c4 Desired extended key usage: Secure Email, Server Authentication, Client Authentication, Code Signing CP: http://repository.swisssign.com/SwissSign-Silver-CP-CPS.pdf EUA: https://www.swisssign.com/documents/SwissSign-Silver-EUA-R3.pdf Subordinate CAs - see CP/CPS Chapter 1.1 CRL issuing frequency for subordinate end-entity certificates: 6h CRL issuing frequency for subordinate CA certificates: on event at least 6 month Certificate download URL (on CA website): https://swisssign.net/cgi-bin/authority/download Public key length (for RSA, modulus length) in bits: 4096 Bit Class: Class: DV
Begging the Information Verification process: https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - Information Incomplete
The currently-included SHA-1 roots are: SwissSign Gold CA - G2 [Trust Bits: Websites;Email;Code] SwissSign Platinum CA - G2 [Trust Bits: Email;Code] SwissSign Silver CA - G2 [Trust Bits: Websites;Email;Code] For the SHA-2 roots, do you want to keep the same trust bits as the SHA-1 roots?
For each of the SwissSign Gold CA - G3 and SwissSign Silver CA - G3 roots, please provide the url to a website whose SSL cert chains up to the root. If you are requesting EV treatment for the Gold-G3 root, then please make sure the website's SSL cert is EV. Note that the websites may either be test websites or actual (in-use) websites. For the SwissSign Platinum CA - G2 root, please attach (to this bug) an example/test cert that chains up to the root.
Attached file Intial CA Information Document (obsolete) —
The attached document shows the information that has been verified, and where further information or clarification is needed. Please review the entire document for accuracy, and update this bug to provide corrections and the requested information.
Updated the CA Information document because Mozilla is no longer enabling the Code Signing trust bit for root certificates. Reference: https://groups.google.com/d/msg/mozilla.dev.security.policy/004uvRRnVyY/UAU7adNMBAAJ
Attachment #8580401 - Attachment is obsolete: true
The status of this request is that we are still waiting for the CA to review the attached CA Information document and provide the requested information (search for NEED in the CAInformation.pdf document).
Please review the attached document, and add comments in this bug to provide the additional requested information (search for NEED in the attached document).
Aaron and Francis, please complete the Information Verification for this request -- see the attachment in Comment #9 for the CA's updated information.
What I have to do that the Information will be verified?
Assignee: kwilson → awu
Hi Corneia, We are working on information verification based on Comment#12, please stay tuned. Thanks, Aaron
Whiteboard: EV - Information Incomplete → [ca-verification] - EV
Hi, We've done of 2nd round of Information Verification, please see the verified CA document as Comment#14 and see if all information are correct. Highlight here, there are still few info. below need you to provide: 1. SwissSign Gold Root CA - G3 - Test Website - Expired - Test Website - Revoked 2. SwissSign Platinum Root CA - G3 - Test Website - Valid - Test Website - Expired - Test Website - Revoked Note : CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.” Once all information are verified and the data above you provided, we can ready to move it to next stage. Thanks for your patient and cooperation! Regards, Aaron
HI, 1. SwissSign Gold Root CA - G3 https://gold-g3-valid-cert-demo.swisssign.net https://gold-g3-expired-cert-demo.swisssign.net https://gold-g3-revoked-cert-demo.swisssign.net 2. SwissSign Silver Root CA - G3 https://silver-g3-valid-cert-demo.swisssign.net https://silver-g3-expired-cert-demo.swisssign.net https://silver-g3-revoked-cert-demo.swisssign.net 3. SwissSign Platinum Root CA - G3 - is issuing qualified Certificates for Individuals and legal Entities and no certificates for Webservers Regards Conny
Hi, The information verification is completed, please see the attachment as Comment#17. If no problem with all information, It is ready for public discussion.
Hi Aaron please rplace the following section: SwissSign operates an Issuing CA for the Swiss Post. SwissSign also provides managed PKI services. Registration Services may be used internationally. SwissSign operates as Issuing CA for public trusted certificates (PTC). SwissSign also provides managed PKI services. Registration Services may be used internationally.
Hi, Updated "Primary Market / Customer Base" as comment#19. This request is ready for Public Discussion if no other quesiton. Kind regards, Aaron
thanks - please put it to the public discussion. What is the estimeted time for public discussion? Kind Regards, Conny
Whiteboard: [ca-verification] - EV → [ca-ready-for-discussion 2017-03-16] -- EV
Hi Conny, The following wiki shows the timeline that it takes to complete each of the phases of the root inclusion process for a CA, please for reference. https://wiki.mozilla.org/CA:How_to_apply#Timeline Kind regards, Aaron
Hi Aaron, I can´t find SwissSign on the public Discussion List? https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion I am are on th right site? Kind Regards Conny
This is the new Audit conformation for 2017
Attachment #8818811 - Attachment is obsolete: true
(In reply to Corneia Enke from comment #23) > Hi Aaron, > > I can´t find SwissSign on the public Discussion List? > https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion > I am are on th right site? > > Kind Regards Conny The queue for discussion has been moved here: https://wiki.mozilla.org/CA/Dashboard#Ready_for_Public_Discussion
Cornelia, Please perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug. Note: Current version of the BRs: https://cabforum.org/baseline-requirements-documents/ Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf = Background = We are adding a BR-self-assessment step to Mozilla's root inclusion/change process. Description of this new step is here: https://wiki.mozilla.org/CA:BRs-Self-Assessment It includes a link to a template for CA's BR Self Assessment, which is a Google Doc: https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing Phase-in plan is here: https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ In particular, note: + For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.
Whiteboard: [ca-ready-for-discussion 2017-03-16] -- EV → [ca-ready-for-discussion 2017-03-16] -- EV -- - Need BR Self Assessment
(In reply to Corneia Enke from comment #24) > Created attachment 8853299 [details] > 29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf > > This is the new Audit conformation for 2017 I am concerned about a few things I see in this audit statement: 1) "KPMG has performed a point in time audit. The reference date is 8 March 2017." Mozilla needs an annual period-of-time assessment, per section 8.1 of the Baseline Requirements: "The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods. An audit period MUST NOT exceed one year in duration." A single point-in-time audit is not sufficient for the required annual audit. 2) "We were not engaged to and did not conduct an examination, the objective of which would be the expression of an opinion on the Application for Extended Validation (EV) Certificate. " What does that mean? 3) "Accordingly, we do not express such an opinion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you." What exactly is this referring to? What additional procedures did not get evaluated?
Product: mozilla.org → NSS
(In reply to Kathleen Wilson from comment #26) > Cornelia, > Please perform the BR Self Assessment, and attach the resulting > BR-self-assessment document to this bug. > > Note: > Current version of the BRs: > https://cabforum.org/baseline-requirements-documents/ > Until a version of the BRs is published that describes all of the allowed > methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain > validation): > https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf > > = Background = > > We are adding a BR-self-assessment step to Mozilla's root inclusion/change > process. > > Description of this new step is here: > https://wiki.mozilla.org/CA:BRs-Self-Assessment > > It includes a link to a template for CA's BR Self Assessment, which is a > Google Doc: > https://docs.google.com/spreadsheets/d/ > 1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing > > Phase-in plan is here: > https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/ > Fi9y6vOACQAJ > In particular, note: > + For the CAs currently in the queue for discussion, I would ask them to > perform this BR Self Assessment before I would start their discussion. --> File uploaded on 05th of Mai 2017
Hi Corneia, Thanks to provide BR Self Assessment, that is very helpful to make it moving forward. We will review/verify BR Self Assessment, update in Salesforce, and sooner start the public discussion. Please stay tuned, thank you! Kind regards, Aaron
Whiteboard: [ca-ready-for-discussion 2017-03-16] -- EV -- - Need BR Self Assessment → [ca-ready-for-discussion 2017-03-16] -- EV - BR Self Assessment Completed
improvings on the Attestation letter based on the Input from Mozilla
Attachment #8853299 - Attachment is obsolete: true
I still need a response to Comment 27.
(In reply to Corneia Enke from comment #31) > Created attachment 8867669 [details] [diff] [review] > 10-05-2017-SwissSign-Confirmation-2017.pdf > > improvings on the Attestation letter based on the Input from Mozilla I can't seem to view the document. Please try to attach it again.
re #33 - try this
(In reply to Andrew Whalley from comment #34) > Created attachment 8867948 [details] > 10-05-2017-SwissSign-Confirmation-2017.pdf > > re #33 - try this Thanks, Andrew! Considering the updated audit statement in regards to my previous comments... (In reply to Kathleen Wilson from comment #27) > (In reply to Corneia Enke from comment #24) > > Created attachment 8853299 [details] > > 29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf > > > > This is the new Audit conformation for 2017 > > I am concerned about a few things I see in this audit statement: > > 1) "KPMG has performed a point in time audit. The reference date is 8 March > 2017." > > Mozilla needs an annual period-of-time assessment, per section 8.1 of the > Baseline Requirements: > "The period during which the CA issues Certificates SHALL be divided into an > unbroken sequence of audit periods. An audit period MUST NOT exceed one year > in duration." > > A single point-in-time audit is not sufficient for the required annual audit. > In the updated audit statement, the phrase "Point in Time" was removed, and replaced with: "Our certification audit field work commenced on 9 January 2017 and was completed on 8 March 2017". I do not understand what that means with respect to the audit period. Was certificate issuance only observed for those two days? Or was there an assessment of the certificates that had been issued over the prior year? If the later, then what were the audit period start and end dates? For a definition of "audit period" see section 1.6.1 of https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf > 2) "We were not engaged to and did not conduct an examination, the objective > of which would be the expression of an opinion on the Application for > Extended Validation (EV) Certificate. " > > What does that mean? > That was removed in the updated audit statement. So, was the EVCP policy evaluated for some of the listed root certificates? If yes, which root certificates? > > 3) "Accordingly, we do not express such an opinion. Had we performed > additional procedures, other matters might have come to our attention that > would have been reported to you." > > What exactly is this referring to? What additional procedures did not get > evaluated? That was removed in the updated audit statement, but it is still not clear to me which root certificates were evaluated according to the DVCP, PTC-BR, EVCP, LCP, NCP policies/criteria, and the period of time over which those CA hierarchies were evaluated.
(In reply to Kathleen Wilson from comment #27) >> > 29-03-2017-SwissSign-Confirmation-2017_Final_lli.pdf >> > > > This is the new Audit conformation for 2017 >> >> I am concerned about a few things I see in this audit statement: >> >> 1) "KPMG has performed a point in time audit. The reference date is 8 March > > 2017." > > > > Mozilla needs an annual period-of-time assessment, per section 8.1 of the > > Baseline Requirements: > > "The period during which the CA issues Certificates SHALL be divided into an > > unbroken sequence of audit periods. An audit period MUST NOT exceed one year > > in duration." > > > > A single point-in-time audit is not sufficient for the required annual audit. > > > In the updated audit statement, the phrase "Point in Time" was removed, and replaced with: > "Our certification audit field work commenced on 9 January 2017 and was completed on 8 March > 2017". > I do not understand what that means with respect to the audit period. > Was certificate issuance only observed for those two days? > Or was there an assessment of the certificates that had been issued over the prior year? > If the later, then what were the audit period start and end dates? > For a definition of "audit period" see section 1.6.1 of > https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf “KPMG performs continuous PKI audits for SwissSign AG and has executed a main certification audit in year 2017 (surveillance certification audits against the mandatory standardizations listed in the following section are scheduled for 2018).” Sorry, the precise formulation in the English language is probably not quite successful here. The audit period is the timeframe between the last and the new Audit Report. In the Report itself the timeframe for doing the inspections onsite is described. Generally KPMG inspects samples selected from the whole year’s process. >> 2) "We were not engaged to and did not conduct an examination, the objective >> of which would be the expression of an opinion on the Application for >> Extended Validation (EV) Certificate. " >> >> What does that mean? >> >That was removed in the updated audit statement. >So, was the EVCP policy evaluated for some of the listed root certificates? >If yes, which root certificates? The auditor complies with the Swiss law ZertES (which does not include the EV certificates) and on the other hand according to ETSI (which includes all requirements of the CA Browser Forum to the EV certificates). Unfortunately the sentence in the first version was mistakenly taken from the perspective of ZertES Audit and therefore deleted for the ETSI Audit report in the last version. The audit comprised of cause the full audit also for the EVCP policy of the following roots: Gold Root G2 Gold Root G3 >> >> 3) "Accordingly, we do not express such an opinion. Had we performed >> additional procedures, other matters might have come to our attention that >> would have been reported to you." > > > > What exactly is this referring to? What additional procedures did not get > > evaluated? >That was removed in the updated audit statement, but it is still not clear to me which root certificates >were evaluated according to the DVCP, PTC-BR, EVCP, LCP, NCP policies/criteria, and the period of time >over which those CA hierarchies were evaluated. The original sentence was probably intended as a guarantee to the auditor that they always rely on exemplary examples in the evaluation. Since, according to Swiss law, the auditor is fully liable for a defective audit of a certification body, the auditor is always inclined to choose the wording carefully. In doing so, they wanted to point out that even a thorough audit can always provide a situation in which points are overlooked. However, since this is a fundamental problem of any audit, this sentence was omitted in the new version. As a full ETSI based evaluation it was done in regard to the CP/CPS for the following CA and the following policies: SwissSign Platinum G2 - NCP+ (http://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf) SwissSign Gold G2 – EVCP, NCP, DVCP, PTC-BR (http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf) SwissSign Silver G2 – LCP, PTC-BR (http://repository.swisssign.com/SwissSign-Silver-CP-CPS.pdf) SwissSign Platinum G3 - NCP+(http://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf) SwissSign Gold G3 – EVCP, NCP, DVCP, PTC-BR (http://repository.swisssign.com/SwissSign-Gold-CP-CPS.pdf) SwissSign Silver G3 – LCP, PTC-BR (http://repository.swisssign.com/SwissSign-Silver-CP-CPS.pdf)
Depends on: 1374381
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
My understanding is that this request is for inclusion of the following three root certificates: 1) SwissSign Gold Root CA - G3 Trust Bits: Websites (TLS/SSL), Email (S/MIME) EV Treatment: Yes Audit Statements: Yes, see Comment #37. 2) SwissSign Silver Root CA - G3 Trust Bits: Websites (TLS/SSL), Email (S/MIME) EV Treatment: No Audit Statements: Need period-of-time audit statements (standard and BR) for 2016 and 2017 3) SwissSign Platinum Root CA - G3 Trust Bits: Email (S/MIME) EV Treatment: No Audit Statements: Need period-of-time audit statements for 2016 and 2017 Cornelia, If you are still requesting inclusion of the 'SwissSign Silver Root CA - G3' and 'SwissSign Platinum Root CA - G3', then please provide the corresponding audit statements for 2016 and 2017.
Unless I hear otherwise, I'll refer to the following audit statements. SwissSign Silver Root CA - G3 https://bug343756.bmoattachments.org/attachment.cgi?id=8781268 Date on statement: 18 March 2016 "KPMG has executed a main certification audit in year 2013, and surveillance certification audits in 2014 and 2015 against the mandatory standardizations listed in the following section (specified information/procedure/results)." ... "ETSI TS 102 042 V2.4.1 or later (DVCP and PTC-BR policies)" and "ETSI TS 102 042 V2.4.1 or later (LCP and NCP policies)" This audit lists all three of these root certs. https://bug1142323.bmoattachments.org/attachment.cgi?id=8867948 Date on statement: 10 Mai 2017 "KPMG performs continuous PKI audits for SwissSign AG and has executed a main certification audit in year 2017" "ETSI TS 102 042 V2.4.1 or later (DVCP and PTC-BR policies)" and "ETSI TS 102 042 V2.4.1 or later (LCP and NCP policies)" This audit lists all three of these root certs.
This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of https://wiki.mozilla.org/CA/Application_Process#Process_Overview so assigning this bug to Wayne.
Assignee: kwilson → wthayer
Whiteboard: [ca-ready-for-discussion 2017-03-16] -- EV - BR Self Assessment Completed → [ca-cps-review] - KW 2018-03-06
Upon further consideration I realized that the audit statements for two of these root certs are not period-of-time audits, so they do not meet Mozilla's requirements. So moving this request back to 'Information Verification' phase until the CA updates this bug with: Option A: complete period-of-time audits for all three root certs Option B: change this request to be only for inclusion of the 'SwissSign Gold Root CA – G3' root cert. Details: 1) SwissSign Gold Root CA – G3 SHA-256 Fingerprint 7A:F6:EA:9F:75:3A:1E:70:9B:D6:4D:0B:EB:86:7C:11:E8:C2:95:A5:6E:24:A6:E0:47:14:59:DC:CD:AA:15:58 Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2017113002_Browser_Audit_Atesttation_s.pdf Audit period: 10-October-2016 to 9-October-2017 The audit statement for this root appears to be OK. I think we could proceed with the inclusion process for this root, if the CA would like to change this request to be just for this root. 2) SwissSign Platinum Root CA - G3 SHA-256 Fingerprint 59:B3:82:9F:1F:F4:43:34:49:58:FA:E8:BF:F6:21:B6:84:C8:48:CF:BF:7E:AD:6B:63:A6:CA:50:F2:79:4F:89 Not currently included in Mozilla's program. Inclusion Request: https://bugzilla.mozilla.org/show_bug.cgi?id=1142323#c40 Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8861552 Audit Period: None! I think this was a surveillance audit with no period-of-time assessment, so this does not meet Mozilla's audit requirements. 3) SwissSign Silver Root CA – G3 SHA-256 Fingerprint 1E:49:AC:5D:C6:9E:86:D0:56:5D:A2:C1:30:5C:41:93:30:B0:B7:81:BF:EC:50:E5:4A:1B:35:AF:7F:DD:D5:01 Audit Period: None! I think this was a surveillance audit with no period-of-time assessment, so this does not meet Mozilla's audit requirements.
Assignee: wthayer → kwilson
Whiteboard: [ca-cps-review] - KW 2018-03-06 → [ca-verifying] - Need Period-of-time audits
Reference bug 1374381 for more information on audit issues affecting these roots. The new 2018 audit statement for the Silver G3 root is point-in-time, and thus not acceptable: https://it-tuv.com/wp-content/uploads/2018/07/AA2018070304_Audit_Attestation_TA_CERT__SwissSign_Silver_G3_signed.pdf
The statement is correct. Since the Silver, Gold and Platinum CA G3 is not yet included in all Root Stores, we do not issue any certificates for our customers under the G3 CA hierarchy to date. This in turn means that no application documents and issued certificates for end users can be considered for these certificate types. According to this fact we have a point in time statement for the G3 CA hierarchy. As soon as the G3 is also included in Mozilla, we can switch our certificate products to the G3 generation certificates. SwissSign will then perform a corresponding audit with TüV Trust IT after 3 months to complete the corresponding period in time audit. When the issuing CAs for the SwissSign products are switched from the G2 to the G3 root , the application and verification processes established by SwissSign remain the same and will not be changed. This will be proven by the audit (period in time) as stated above. Best Regards Cornelia Enke
Mozilla policy requires contiguous audits (section 3.1.3) and states "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." (section 7.1). CAs typically achieve this by including rollover roots on the same audit statements as their existing roots. In this case, we have a set of roots that are being audited separately and do not have contiguous audits that attest to their compliance from the time they were created. A PIT audit is not sufficient. This is similar to the OISTE WiseKey situation discussed in the following thread, and resulting in WiseKey needing to perform a period-of-time audit: https://groups.google.com/d/msg/mozilla.dev.security.policy/E1u_JDFsk3o/LAEOacJZCwAJ
Here is my understanding of the audit history for these G3 roots, which all have Valid From set to August 4, 2009. SwissSign Gold Root CA - G3 SHA-256 Fingerprint: 7AF6EA9F753A1E709BD64D0BEB867C11E8C295A56E24A6E0471459DCCDAA1558 Current Audit: https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/de/AA2017113002_Browser_Audit_Atesttation_s.pdf Audit Statement Date: 11/30/2017 Audit Period Start: 10/10/2016 Audit Period End: 10/9/2017 ** This was the first period-of-time audit for this root. ** Both the Websites and Email trust bits requested for this root. SwissSign Silver Root CA - G3 SHA-256 Fingerprint: 1E49AC5DC69E86D0565DA2C1305C419330B0B781BFEC50E54A1B35AF7FDDD501 Current Audit: https://it-tuv.com/wp-content/uploads/2018/07/AA2018070304_Audit_Attestation_TA_CERT__SwissSign_Silver_G3_signed.pdf Audit Statement Date: 7/3/2018 The audit statement says: "For this Root CA and Sub CA, the audit has been performed as point in time audit as these do not yet issue certificates to end entities." ** Both the Websites and Email trust bits requested for this root. SwissSign Platinum Root CA - G3 SHA-256 Fingerprint: 59B3829F1FF443344958FAE8BFF621B684C848CFBF7EAD6B63A6CA50F2794F89 Audit: https://it-tuv.com/wp-content/uploads/2018/07/AA2018070302_Audit_Attestation_TA_CERT__SwissSign_Platinum_G3_signed.pdf Audit Statement Date: 7/3/2018 The audit statement says: "For this Root CA and Sub CA, the audit has been performed as point in time audit as these do not yet issue certificates to end entities." ** Only the Email trust bit requested for this root, so the BRs do not apply. However, Mozilla's Root Store Policy still does apply. As Wayne pointed out in Comment #46, the audit history that has been provided for these G3 root certificates does not meet the requirements of Mozilla's root store policy. Therefore, I think it is unlikely that these G3 root certificates would be approved for inclusion in Mozilla's root store. As such, I am going to deny this request to include these G3 root certificates. SwissSign may submit a new root inclusion request, by creating a new Bugzilla Bug, for inclusion of newer root certs that fully comply (from creation) with the requirements of Mozilla's Root Store Policy and the BRs. Reference: https://wiki.mozilla.org/CA/Application_Process
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Whiteboard: [ca-verifying] - Need Period-of-time audits → [ca-denied] Comment #47 - submit new roots in new bug
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: